Oyster/Broomstick
Oyster/Broomstick is a backdoor malware family observed in active campaigns in 2025. It has been delivered through SEO poisoning and malvertising campaigns that targeted IT professionals with trojanized installers for legitimate administrative tools such as PuTTY and WinSCP. After execution, the malware establishes persistence by creating a scheduled task and beacons to command-and-control infrastructure approximately every three minutes, using DLL-based execution (described in reporting as "DLL trickery"). Reporting indicates Oyster/Broomstick remained an active threat even after dropping out of the top three most prevalent threats in a later 2025 reporting period. High-confidence indicators from the available reporting include fake PuTTY and WinSCP installers used as infection lures, scheduled-task persistence, periodic beaconing every three minutes, and malicious domains that Arctic Wolf identified for blocking; the specific domains are not included in the available reporting.
Recent activity
2 sources tracked across advisories, community write-ups, and news.
Named malware family mentioned as a prior-period top threat that remains active; this source provides no additional behavioral or technical description.
Oyster/Broomstick is a backdoor delivered via SEO poisoning and trojanized installers of popular IT tools. It establishes persistence via scheduled tasks and communicates with its C2 server every three minutes. The campaign targets IT professionals, who are likely to hold elevated privileges.